RE: What is your policy on customers participating in a pen test?

From: Duquette, John (john.duquetteat_private)
Date: Wed Jun 20 2001 - 10:28:33 PDT

    
    I've noticed an increase in clients wanting to observe a pentest.  We
    don't prohibit this; naturally it's not much fun to work with someone
    staring over your shoulder, but we always accommodate these requests.
    The downside can be when a client interferes with the engagement.  I
    used to work for one of the big 5 and we had a client in "observing",
    fine.  The bad thing was he was watching what we were preparing to do
    and calling his company so they could be extra prepared, which
    naturally hurt the engagement.
    
    Education is always the desired result of an assessment but you want
    rules on what can/can't happen.  However, I would never allow a
    client to actually participate in the engagement, or turn over any
    applications/source for anything that we use.
    
    John Duquette
    Manager, EDS Information Assurance Services
    john.duquetteat_private
    703.736.8593
    PGP Fingerprint: 5377 4A05 6F9B B8D1 CD16  88EC DC1F BF47 51B6 380B
    
    > -----Original Message-----
    > From: Joe Klein [mailto:jskleinat_private]
    > Sent: Tuesday, June 19, 2001 02:00 AM
    > To: pen-testat_private
    > Subject: What is your policy on customers participating in a pen test?
    > 
    > All:
    > 
    > I am hearing customers request (and sometimes demand) that they be
    > part of a pen test.
    > 
    > Currently, we offer the customer 4 - 8 hours of time to review
    > findings and show them what we did to access their systems. But we do
    > this after the pen test is complete.
    > 
    > I was wondering how other companies deal with this issue?
    > 
    > J
    > 
    